It will be difficult to enforce the law, which goes into effect on Jan. 1, said Michael Anderson, CTO and co-founder of tag-management company Tealium. Requiring data-collection vendors to explain how they respond to do-not-track signals is based on the assumption that "they actually do anything with the DNT header, which, to my knowledge, not a lot of data-collection vendors do support this," Anderson said.
The lack of a universal definition for a “do-not-track” signal is another large hole, noted Alison Pepper, senior director of public policy at the Interactive Advertising Bureau. “We still don’t have a clear definition of what do-not-track means and the [law’s] text is so ambiguous that compliance can be read in a variety of ways,” Pepper said.
In addition, requiring companies to determine which users are accessing their site from California will create “a location issue” that is particularly problematic from a mobile perspective, said Peter Cranston, CEO of 3PMobile, a software provider that helps companies extend their Web services to mobile users while balancing “the need for user data privacy and control.”
Under AB 370, “every ad server will have to determine where users are coming from which will create problems for the companies and in the end the consumer will still be inundated with ads,” Cranston said.
Several state and federal online privacy bills have been proposed in recent years, such as US Sen. Jay Rockefeller’s Do-Not-Track Online Act of 2013, which remains bogged down in a congressional committee. Despite its shortcomings, it is important to think of AB 370 as a “first step” towards greater privacy rights for consumers, Cranston added.
“When someone passes a law, that’s a defining part of history and what California did is just the beginning,” he said. “A lot needs to be improved upon, but at least this is a start.”